SSL on Open vSwitch and ovs controller

There are two places where SSL must be configured if it is to be used between the controller and Open vSwitch: on the switch, so that it can present its own certificate and verify the controller's, and on the controller, for the reverse. The instructions below assume an installation of Open vSwitch from Ubuntu packages. If you installed by other means, the PKI directory (/var/lib/openvswitch/pki here) may be somewhere else.

Open vSwitch Setup

Create the switch key and certificate and register them with Open vSwitch. `ovs-pki req+sign sc switch` writes sc-privkey.pem, sc-req.pem and sc-cert.pem into the current directory, with the certificate signed by the switch CA (switchca). `ovs-vsctl set-ssl` then takes three arguments: the switch's private key, its own certificate, and the CA certificate it uses to verify the controller, which is the controller CA's certificate (controllerca), not the switch CA's. If the PKI directory does not exist yet, run `sudo ovs-pki init` first to create both CAs.

cd /etc/openvswitch
sudo ovs-pki req+sign sc switch
sudo ovs-vsctl set-ssl \
    /etc/openvswitch/sc-privkey.pem \
    /etc/openvswitch/sc-cert.pem \
    /var/lib/openvswitch/pki/controllerca/cacert.pem

Generating both certificates on a single host that also holds both CA private keys is acceptable for research and experimentation, which is what this setup is for, but it is not how the keys should be managed in production. There the CA private keys stay on a machine that is neither the switch nor the controller, each side generates its own private key locally (`ovs-pki req`), and only the certificate request is sent to the CA to be signed (`ovs-pki sign`), so a compromised switch or controller cannot mint certificates for its peers.

Open vSwitch test controller (ovs-controller) Setup

Create the controller key and certificate. This writes ctl-privkey.pem, ctl-req.pem and ctl-cert.pem, with the certificate signed by the controller CA (controllerca), which is exactly the CA the switch was told to trust above.

cd /etc/openvswitch
sudo ovs-pki req+sign ctl controller

Running a Sample Test

In one window, start ovs-controller with SSL support. `pssl:6633` makes it listen passively for SSL connections on port 6633; `-p` and `-c` are the controller's own private key and certificate, and `-C` is the CA certificate used to verify connecting switches, which is the switch CA's certificate (switchca). `-v` turns on verbose logging, which is the easiest way to see the TLS handshake succeed or fail. (In Open vSwitch 2.1 and later the binary was renamed ovs-testcontroller and ships in the openvswitch-testcontroller package; the options below are unchanged.)

sudo ovs-controller -v pssl:6633 \
    -p /etc/openvswitch/ctl-privkey.pem \
    -c /etc/openvswitch/ctl-cert.pem \
    -C /var/lib/openvswitch/pki/switchca/cacert.pem

Next is a sample Mininet Python script. It creates a single-switch topology with two hosts, starts the network with a remote controller, and then points s1's controller target at the SSL listener started above.

#!/usr/bin/python
from mininet.net import Mininet
from mininet.node import RemoteController
from mininet.cli import CLI
from mininet.log import setLogLevel

def emptyNet():
    # RemoteController defaults to 127.0.0.1:6633, where ovs-controller listens.
    net = Mininet( controller=RemoteController )
    net.addController( 'c0' )
    h1 = net.addHost( 'h1' )
    h2 = net.addHost( 'h2' )
    s1 = net.addSwitch( 's1' )
    net.addLink( h1, s1 )
    net.addLink( h2, s1 )

    net.start()
    # Mininet configures a tcp: target by default; switch it to ssl: so the
    # switch uses the key, certificate and CA set with ovs-vsctl set-ssl.
    s1.cmd( 'ovs-vsctl set-controller s1 ssl:127.0.0.1:6633' )

    CLI( net )
    net.stop()

if __name__ == '__main__':
    setLogLevel( 'info' )
    emptyNet()

When you run the script, you are dropped into the Mininet CLI; running `pingall` there should succeed, which shows the controller is installing flows over the SSL connection. From another window you can also confirm that the switch is connected using SSL: look for `is_connected: true` under the `ssl:` controller entry. Note `fail_mode: secure` as well, which means the switch will not fall back to acting as a plain learning switch if the controller connection drops.

$ sudo ovs-vsctl show
902d6aa3-6a0a-4708-a286-3301c8b36430
    Bridge "s1"
        Controller "ssl:127.0.0.1:6633"
            is_connected: true
        fail_mode: secure
        Port "s1"
            Interface "s1"
                type: internal
        Port "s1-eth1"
            Interface "s1-eth1"
        Port "s1-eth2"
            Interface "s1-eth2"
    ovs_version: "2.0.1"

Posted: 2024-11-09 00:15:04
